What’s new in Eficode ROOT: November 2025

Starting from GitHub Enterprise Server 3.17, the single GitHub Advanced Security (GHAS) add-on has been split into two standalone products: GitHub Secret Protection (GHSP) and GitHub Code Security (GHCS). 

From now on, customers can now choose between buying separate licenses for GHSP and GHCS, or purchasing a single GitHub Advanced Security license that bundles both GHSP and GHCS. Existing subscription-based GHAS customers can make this transition choice at their renewal. Also, please notice that new GHAS products support a subscription-based paying model, or a metered plan, where it is possible to pay monthly for actual license consumption instead of reserving licenses.

Automated Dependency Updates: Users can now automatically keep their bun, Docker Compose, and uv dependencies current with Dependabot version updates. Learn more here.

Prioritized Vulnerability Patching: Leverage EPSS (Exploit Prediction Scoring System) scores to prioritize dependency vulnerabilities. This allows users to focus on addressing vulnerabilities that are most likely to be exploited, thereby significantly reducing the risk of actual attacks. Learn more here.

Enhanced pnpm Workspace Support: Developers utilizing pnpm workspaces will benefit from full Dependabot support for pnpm workspace catalogs, leading to more reliable dependency updates. This enhancement prevents lockfile inconsistencies, avoids broken dependency trees, and improves the overall reliability of updates in monorepos. Learn more here.

Automated user provisioning is now generally available through the System for Cross-domain Identity Management (SCIM) standard. SCIM, a prominent standard for user lifecycle management in SaaS applications, allows GitHub Enterprise Server instances utilizing SAML authentication to provision and manage user accounts from an identity provider (IdP). GitHub supports integrations with common IdPs like Entra ID and Okta, but organizations can also use a custom SAML IdP and SCIM implementation tailored to their specific requirements. SCIM can be configured via a supported IdP application or directly through the SCIM REST API. Learn more here.

Fine-grained Personal Access Tokens (PATs) and PAT lifetime policies are now generally available, offering enhanced security. These tokens provide per-organization access, support token approval workflows, and improve auditability by tracking token IDs in audit logs. Additionally, lifetime policies enable configurable token rotation, which helps reduce the use of long-lived PATs within your environment. Learn more here.

Audit log streaming is now generally available for API requests made to your enterprise's private assets.

General Availability of Push Rulesets for Enhanced Control

Push rulesets are now generally available, enabling stricter control over private and internal repositories, including forks. These rules allow administrators to block pushes based on file type, path, or size. Unlike traditional pre-receive hooks, push rulesets offer:

• System-integrated functionality.
• Configuration via both UI and API.
• Comprehensive audit logs.
• An "evaluate mode" for pre-deployment testing.
• Bypass lists for specific exceptions.

Learn more here.

Increased Flexibility with Fork Conversion

Repository administrators can now easily convert a fork into a standalone repository. This action removes the repository from the fork network, discontinuing automatic synchronization with the upstream repository. This feature is particularly useful for:

• Diverging a project in a new strategic direction.
• Maintaining distinct versions of a codebase.

Improved Contributor and Code Frequency Insights

Exploring contributor activity and code frequency insights is now more intuitive and user-friendly, featuring:

• Streamlined navigation.
• Interactive chart legends, allowing users to hide data series for clearer analysis.
• Options to view or download underlying data in CSV and PNG formats.

Learn more here.

Integrators and other webhook consumers can now more easily track changes, as webhook payloads for releases, pull request review threads, and pull request reviews now include an updated_at field. This field contains an ISO8601 timestamp of the most recent modification.

GitHub Mobile now offers enhanced features, particularly for users connected to GitHub Enterprise Server 3.17. Key Updates:

• Quick Project Access: Users can now swiftly view their recent projects via the "Projects" view directly from the Home screen.
• Enhanced Functionality with GitHub Enterprise Server 3.17:
  • Compare Branches: Easily view and compare changes between branches directly from your mobile device.
  • Fork Repositories: Fork public repositories within the mobile application.
  • Projects: Access and interact with GitHub Projects on the go.

Enterprise-owned GitHub Apps can now be centrally managed and shared by enterprise owners across all their organizations. This new feature reduces management overhead and enhances security by eliminating the need to duplicate applications or make them public. Private and internal apps can be transferred to the enterprise level, with automatic permission updates applied across all organizations. Only internal visibility is supported, meaning these apps can only be installed and authorized by users and organizations within the enterprise. Learn more here.

Site administrators managing dependencies with base-pinned images should transition from the deprecated vulcanizer CLI to vulcancli for continued support and compatibility.

In GitHub Enterprise Server 3.20, GitHub will retire the security manager API in favor of the organization roles API. Learn more here.

Real-time job status updates for GitHub Actions workflow notifications in Slack and Microsoft Teams are no longer available. Users still receive notifications when a workflow starts and completes, but intermediate job progress updates have been removed to improve system efficiency.

In GitHub Enterprise Server 3.17, tag protection rules will be migrated to a ruleset, and the tag protection rule feature will no longer be available.

Dependabot is no longer supporting Python 3.8, which has reached its end-of-life. If you continue to use Python 3.8, Dependabot will not be able to create pull requests to update dependencies. If this affects you, we recommend updating to a supported release of Python. As of February 2025, Python 3.13 is the newest supported release.

Dependabot is no longer supporting NPM version 6, which has reached its end-of-life. If you continue to use NPM version 6, Dependabot will be unable to create pull requests to update dependencies. If this affects you, we recommend updating to a supported release of NPM. As of December 2024, NPM 9 is the newest supported release.

GitLab Knowledge Graph (Premium, Ultimate)

The GitLab Knowledge Graph offers comprehensive code intelligence, improving how developers understand and navigate projects. This enhanced context simplifies planning, impact analysis, and collaboration with GitLab Duo agents, accelerating development.

The Knowledge Graph is integral to the GitLab Duo Agent Platform, boosting the accuracy of AI agents. By mapping files and definitions across a codebase, it provides Duo agents with a deeper understanding of relationships within the entire local workspace, leading to faster and more precise answers to complex queries.

This release of the Knowledge Graph focuses on local code indexing, transforming your codebase into a live, embeddable graph database for RAG. Installation is a simple one-line script, allowing you to parse local repositories and connect via MCP to query your workspace. Learn more here.

GitLab Knowledge Graph.

GitLab Duo AI Catalog (Premium and Ultimate)

The GitLab Duo AI Catalog, an experimental feature controlled by the global_ai_catalog feature flag, provides a centralized location for managing and discovering AI agents. These agents are designed to handle complex tasks, such as generating merge requests and answering technical queries.

Key functionalities include:

• Browsing: Explore agents developed by both the GitLab team and the broader community.
• Creation: Develop custom agents tailored to your specific project needs.
• Sharing: Distribute agents across various projects using GitLab Duo Chat (Agentic).

To enable this feature:

• For GitLab.com users: Contact support to activate it for your group.
• For GitLab Self-Managed users: Enable it via the Admin panel or by executing Feature.enable(:global_ai_catalog) in the Rails console.

Requires: Duo Core or Duo Pro or Duo Enterprise

GitLab Duo Model Selection now generally available (Premium, Ultimate)

Organizations now have enhanced control over the AI models powering their development workflows with the general availability of GitLab Duo Model Selection. This new feature allows:

• Administrators and Group Owners: Owners of top-level groups on GitLab.com and administrators of Self-Managed and Dedicated instances can now select specific AI models from various GitLab vendors.
• Users with Multiple Namespaces: GitLab users who belong to multiple namespaces on GitLab.com can set a default namespace to ensure consistent AI model preferences.

Learn more here. 

Model selection

End user model selection now available with GitLab Duo (Premium, Ultimate)

On GitLab.com, end-users can now access the public beta of GitLab Duo's model selection feature. This allows developers to personally control their AI experience by choosing their preferred model for GitLab Duo Agentic Chat directly within the GitLab user interface. Learn more here.

Duo Code Review on GitLab Duo Self-Hosted is generally available (Premium, Ultimate)

GitLab Duo Code Review, now generally available on GitLab Duo Self-Hosted, is designed to speed up your development process while maintaining data sovereignty. This feature identifies potential bugs and suggests improvements directly within your merge requests. It offers broad compatibility, supporting model families such as Mistral, Meta Llama, Anthropic Claude, and OpenAI GPT. Learn more here.

Additional supported models for GitLab Duo Self-Hosted (Premium, Ultimate)

For GitLab Self-Managed customers, GitLab Duo Enterprise now supports a wider range of models. This includes OpenAI GPT-5 on Azure OpenAI, and the open-source OpenAI GPT OSS 20B and 120B models on both vLLM and Azure OpenAI. Learn more here.

Configure how to view issues from the Issues page (all users)

GitLab provides users with unprecedented control over their listing page view. You can now tailor your experience by choosing which metadata is displayed and how work items are opened, allowing you to focus on the information that matters most.

Key Enhancements:

• Customizable Metadata Visibility: Previously, all metadata fields were always visible, which could lead to an overwhelming experience when scanning work items. Now, you can easily turn specific fields like assignees, labels, dates, and milestones on or off, streamlining your view.
• Flexible Work Item Navigation: A new toggle allows you to seamlessly switch between a drawer view and full-page navigation for work items. The drawer view enables quick review of details while maintaining context of your list, ideal for rapid assessment. When more screen space is needed for detailed editing and comprehensive navigation, simply switch to the full-page view.

Learn more here.

New issues filter.

Enhanced parent filtering for epic and issue lists (all users)

The "epic" filter on the Issues and Epics pages has been replaced with a more adaptable "parent" filter. This enhancement allows for filtering by any parent work item, offering greater flexibility than filtering by epics alone. Users can now effortlessly locate child tasks by filtering through their parent issue or identify issues by filtering through their parent epic. This provides improved visibility into your work hierarchy across both issue and epic lists. Learn more here.

New way to filter parent issues.

Issue boards now show complete epic hierarchies (Premium, Ultimate)

Improved issue tracking is now available! When filtering by a parent epic in issue boards, you can now see all issues from child epics. This new feature aligns with the existing functionality of the Issues page, providing a more consistent experience. This enhancement streamlines your project management by offering a complete and reliable view of your epic hierarchy, ensuring no nested issues are overlooked. Learn more here.

Filtering by a parent epic allows you to see child epics.

Secret detection analyzer Git fetching improvements (all users)

Version 7.12.0 of the secret detection analyzer for Eficode ROOT introduces significant improvements to how Git commits are fetched. This update allows the analyzer to parse --depth and --since options from SECRET_DETECTION_LOG_OPTIONS, giving users more control over the number of commits scanned.

The analyzer now intelligently selects fetch strategies based on context. This resolves a known issue where millions of commits were unnecessarily fetched, even with shallow depth configurations. As a result, users will experience faster secret detection scans, especially in large repositories.

These enhancements lead to reduced job timeouts, decreased resource consumption, and more predictable scan performance, with clearer logging that accurately reflects the fetching behavior. Learn more here.

Simulate CI/CD Pipelines against different branch (all users)

The pipeline editor's validation feature now offers enhanced flexibility. Previously, simulations were restricted to the default branch. With this update, you can now simulate pipelines against any selected branch. This allows for more comprehensive testing and validation, ensuring pipelines function correctly across various scenarios, including stable and feature branches. Learn more here. 

You can now select any branch to simulate pipelines against.

CI/CD job tokens can authenticate Git push requests (all users)

CI/CD job tokens can now be configured to authenticate Git push requests to your project's repository. This feature can be enabled via the "Job token permissions" settings in the user interface, or by setting the ci_push_repository_for_job_token_allowed parameter in the project's REST API endpoint. Learn more here.

Additional permissions for push requests.

Operational Container Scanning severity threshold configuration

Operational Container Scanning (OCS) now allows you to configure a severity threshold, so only vulnerabilities at or above your chosen level are reported. This means vulnerabilities below your set threshold will be excluded from the Vulnerability Report, API payloads, and other reporting mechanisms, helping you prioritize the vulnerabilities you want to address. To activate this filtering, set the severity_threshold in your OCS configuration. Learn more here. 

Significantly faster Advanced SAST scanning

This November release introduces a significant improvement: scan runtime has been reduced by up to 78% in benchmark and real-world tests. This acceleration is due to the addition of caching in a performance-sensitive part of the scanning process, resulting in much faster scans for large repositories.

This enhancement is automatically activated in Advanced SAST analyzer version 2.9.6 and newer. You can verify your analyzer version by checking the scan job logs. Learn more here.